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Abstract — So-called non-local boxes, which have been intro- 
duced as an idealization — in different respects — of the behavior 
of entangled quantum states, have been known to allow for 
unconditional bit commitment between the two involved parties. 
We show that, actually, any possible non-local correlation which 
produces random bits on both sides can be used to implement 
bit commitment, and that this holds even when the parties are 
allowed to delay their inputs to the box. Since a particular 
example is the behavior of an EPR pair, this resource allows 
for implementing unconditionally secure bit commitment as long 
as the parties cannot entangle their Qbits with any other system. 



I. Introduction and Preliminaries 
A. Previous Work and Our Result 

Since cryptographic functionalities often cannot be realized 
in an unconditionally secure way from scratch, it is an inter- 
esting problem to find simple and weak information-theoretic 
primitives from which they can be realized. A particular class 
of such underlying primitives are those which stem from 
quantum physics. For instance, Bennett and Brassard have 
shown that two parties can generate a common secret key 
in an unconditionally secure way if they are connected by a 
quantum channel [1]. 

Another central result in this context by Mayers [11] states 
that it is impossible to realize bit commitment in an uncon- 
ditionally secure way for both parties, even when they are 
connected by a quantum channel. It is important to note that 
the latter result even holds when the parties share a given pure 
state, for instance an EPR pair, 
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initially. Roughly speaking, an attacker can entangle his part of 
the state. Actually, it is a consequence of our results that every 
attack requires to use such entanglement: Bit commitment 
from a shared EPR pair is possible as soon as the parties 
cannot entangle their respective systems with any other system. 

In order to get a better understanding of quantum-physical 
phenomena such as entanglement or non-locality, the behavior 
of quantum states has often been modeled as "boxes," i.e., 
conditional probability distributions characterizing the joint 
input-output behavior of the two- (or more) partite system. 
A particular box that has been well-studied recently [3], [4], 
[5], [6], [9], [13], [14], [10] is the so-called non-local box 
[12], or NL box for short, the behavior of which does actually 
not correspond to the behavior of any quantum state, but 



is an idealization thereof. (The NL box is, however, also 
"non-signaling," i.e., its behavior does not allow for message 
transmission). It has been shown in [15] that such an NL 
box is essentially equivalent to oblivious transfer: A single 
realization of one primitive perfectly allows for realizing the 
other. Interestingly, this fact implies that oblivious transfer is, 
as the NL box, symmetric, i.e., its direction can be perfectly 
inverted for free. 

Since oblivious transfer allows for bit commitment, this 
result seems to contradict Mayers' impossibility theorem. It 
does not, however, since an NL box is not a quantum state, 
and it is a natural question what the decisive difference is. 
In [13], it has been suggested that it is the fact that in the 
quantum setting, a party can delay her measurement. In [5] 
it was shown, however, that NL boxes which do allow such 
a delay as well can nevertheless be used to implement bit 
commitment. Another potential reason is that the non-locahty 
of the NL box is "superstrong," i.e., stronger than the one of 
any quantum state. In this paper, we show that this is not the 
case either: Even weak non-local behaviors do the job, for 
instance the one arising from EPR pairs. We can, therefore, 
conclude that the crucial point is that in the quantum setting, 
a party can entangle her system with another, but not in the 
case of a box. In other words, such states do actually allow for 
bit commitment as long as the parties cannot entangle their 
system with any other. 

B. Definitions and Preliminaries 

Definition 1: A bit commitment scheme is a pair of proto- 
cols Commit and Open executed between two parties, A and 
B. First, Commit is executed, where A has an input v and B 
has no input. B can either accept or reject the execution of 
Commit. Then, Open is executed, where B has an output v' . 
B either accepts or rejects the execution of Open. The two 
protocols must have the following properties: 

• Correctness. If both parties are honest, then B should 
always accept, with v' — v. 

• Privacy. If A is honest, then the execution of Commit 
does not reveal any information about v to B. 

• Binding. If B is honest and accepts after the execution 
of Commit, then there exists only one value v' (which is 
equal to i; if A is honest) that B accepts as output after 
the execution of Open. 

Definition 2: A non-signaling box (NS box for short) is a 
box to which Alice can input a value X and Bob a value 



Y. Alice then gets a value A G {0, 1} and Bob gets a value 
B e {0,1} such that Pv[A = a,B = b\X = x,Y = y] = 
Pab\xy{(1: b, X, y). (Here, we assume that a party receives its 
output immediately after giving her input, independently of 
whether the other has already given his input or not. Note 
that the non-signaling condition impUes that this is possible.) 
Furthermore, the following conditions must hold: 

• Non-signaling. For all values i,x,y G {0, 1}, we have 
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y] = 1/2, 
y] = 1/2. 



. Dependence. Pab\xy 7^ Pa\xPb\y- 

Note that the non-signaling condition means that the output 
of one player is independent of the input of the other, thus 
the box does not allow for message transmission. If we had 
Pab\xy = Pa\x Pb\y , the box would just consist of two 
local channels. This is excluded by the second condition, but 
the dependence can be arbitrarily weak. In particular, it may be 
some correlation that can be simulated using an EPR pair. The 
above-mentioned NL box is a special case of a non-signaling 
box, where we have -Pab|xy(o, b, x, y) = 1/2 a®b = xy 
and otherwise. 

We now introduce two technical lemmas used later. 

Lemma 1 (Chernoff): Let Xi, X2, . . . , X„ be independent 
random variables with Pr[Xj = 1] = p and Pr[Xj = 0] = 
1 — p. Let X = ^i- For ™y i > we have 

Pr[X > E[X] +t] < e"^*'/" , 



Pr[X > E[X] - t] 
Lemma 2: For any n we have 
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Proof: Let Xi,X2, . ■ . ,Xn be independent random 
variables with Pr[X, = 1] = 1/2 and Pr[Xi = 0] = 1/2. 
Let X = J2i=i ^i- We have 



Pr[X<r]=±(%-r^. 



Using the Chernoff inequality, setting r = n/2 — t, we get 

Pr[X < r] < e-2*Vn < 2-»/2+2r-2rVn ^ 



and therefore 
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II. Bit Commitment from any Non-Signaling Box 

In this section, we show how to realize unconditionally 

secure bit commitment from any NS box. Let n be the number 
of calls to the NS box. Let s = r?l^ be a security parameter, 
let fci = n^/^, ki = 8fci -\- 2s, m = n/2 + 4fci + s, and 
d = 2fci+fc2 + l. Let, finally, ? > and fc > ni+2s+l. Let C C 
{0,1}" be a (n, A:, (i)-Unear code, i.e., with 2*^ elements and 



minimal distance d. Since we do not have to decode C, we can 
use a random Unear code. If fc < {1 — H{d/n))n — s a random 
code has a minimal distance of at least d with probability at 
least 1— 2~*. Since k = /+n/2+o(ra) and d/n = o(l), we can 
choose l = n/2- o{n). Let h : {0, 1}* x {0, 1}" ^ {0, 1}™ 
and ext : {0, 1}* x {0, 1}" {0, 1}' be universial hash 
functions. Let v S {0, 1}'. 
Protocol 1: Commit(w). 

• Alice chooses x Gr C, Bob chooses y €r {0, 1}". 

• Alice and Bob input x and y component-wise to the NS 
box. Alice gets a e {0, 1}" and Bob gets b e {0, 1}". 

• Bob chooses ri Gr {0, 1}* and sends it to Alice. 
« Alice sends Bob h{ri,a). 

• AUce chooses r2 €r {0,1}* and sends {r2,v ® 
ext(r2, a;)) to Bob. 

Protocol 2: Open(). 

• Alice sends Bob x, a, and v. 

• Bob checks whether x G C holds, h{ri,a) is cor- 
rect, whether the sequence {ai,bi,Xi,yi) has the right 
statistics, i.e., is distributed according to Pabxy = 
PxPyPab\xy, and whether v © ext(r2,a;) is correct. 
If all these checks are ok, he accepts and outputs v. 
Otherwise, he rejects. 

In the following we will show that these two protocols 
implement bit commitment, i.e., that it satisfies the three 
conditions correctness, privacy, and binding. 

Lemma 3: The protocols Commit and Open satisfy the 
correctness condition with an error negligible in n. 

Proof: Bob always accepts Commit. If AUce follows 
the protocols, then h{x) and u©ext(r2, a;) will be correct and 
X € C holds. Furthermore, with overwhelming probability, the 
sequence (a^, bi,Xi,yi) will have the right statistics. Therefore, 
Bob accepts Open with overwhelming probability and outputs 
V, the value Alice was commited to. ■ 

Bob cannot cheat actively since he does not send any 
message. The following lemma proves that he does not get 
any information if Alice is honest. 

Lemma 4: The protocols Commit and Open satisfy the 
privacy condition with an error of at most 2"*. 

Proof Let us assume that Alice is honest. We will show 
that with probability at least 1 — 2^", Bob does not get any 
information about v before the opening. Since the box is non- 
signaling, Bob's values y and 6 are independent of x. Since 
AUce chooses x uniformely, its min-entropy is equal to k. 
The additional randomness r2 is independent of x, so all the 
information Bob gets about x is h(ri,x), which has length 
m. Therefore, Bob's min-entropy about x is at least k — m. 
It follows from the leftover hash lenrnia [8], [2], [7] that 
extracting / ~ fc — m — 2,s bits makes the key uniform with 
an error of at most 2~*. So Bob does not get any information 
about V with probabiUty at least 1 — 2~*. ■ 

It remains to be shown that the protocols are binding. 
Without loss of generaUty, we can assume that Alice will 
finally give some input to all the boxes. Let her i-th input be 
Xi, and let her outcome be ai. Of course, she is not supposed 
to send Bob the true values but she may change some 



of them. However, if she changes more than ki = r?l^ values 
Xi or a-i, the sequence {ai,bi,Xi,yi) will have the correct 
statistics only with negligible probability. A malicious Alice 
may also choose not to give input values to some of the boxes 
until the opening phase. Let the number of these values be fc2- 
Lemma 5: If Alice does not input any values to at least ^2 
calls to the NS box, the probability that there exists a value 
a' that has a Hamming distance of at most fci from her final 
value a such that a') = h is at most 2^"+^. 

Proof: Alice has to send a hash value h before the 
opening phase. In the opening phase, she inputs the remaining 
k2 values to the box and gets random outputs for them. So 
she gets randomly one out of 2^^^ possible values for a. She 
can freely choose h, so she may also choose a value such 
that h{ri, ah) = h. The probability that the Hamming distance 
between ah and a is smaller than fci is at most 
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For any value a' ^ a^, the probability that h{ri,a') = ft, is 
equal to 2^™. So the probability that there is another value 
a' with Hamming distance of at most ki near a, such that 

h{ri, a') = /i is at most 
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The statement follows. We have applied Lemma |2] twice. ■ 

In order to be able to open a commitment to two different 
values V and v', Alice needs to find two strings x and x' which 
are compatible with the commitment and such that her success 
probability is maximized. We will now show that under certain 
conditions, there never exist two values x and x' such that Bob 
would accept the opening for both. 

Lemma 6: If Alice changes only fci pairs and delays only 
fc2 inputs, then the protocol is binding as long as 2fci + fc2 < d- 
Proof: Any two valid inputs strings x and x' have a 
distance of at least d. If we ignore all the positions where 
Alice did not input anything to the box, x and x' still have a 
distance of at least d — k2 values. Only one x' G C is closer 
than {d — fc2)/2 to the x that Alice has chosen. ■ 

We are now able to prove the binding condition. 

Lemma 7: The protocols Commit and Open satisfy the 
binding condition with an error negligible in n. 

Proof: If Alice changes at least fci = n^^^ values, she has 
only exponentially small probability of success. Otherwise, if 
she does not input anything to at least fc2 calls to the box, she 
has a probability of success of at most 2^''+^. But otherwise, 
she will not be able to cheat, if 2fci + fc2 < d. Hence, her 
overall success probability is negligible. ■ 

Theorem 1: There exists a reduction of bit commitment to 
any NS box. 



III. Conclusions 

We have shown that unconditionally secure bit commitment 
between two parties can be obtained from any bi-partite 
"input-output box" which produces random bits on both sides, 
does not allow for signaling, and is not "separable" (i.e., 
consists of two independent channels on both sides). It is 
important to note that, as in [5], this result even holds when 
this box is such that each party can choose to delay certain 
inputs (without the other party being aware of this: the box 
will produce an output on the other side nevertheless). An 
example of behavior such a box can have is the one of an 
EPR pair under measurements. This result does not contradict 
Mayers' famous impossibility result since such boxes are 
not quantum, and do not allow the parties to entangle their 
parts of the system with another system, an operation — this 
is a consequence of our results — necessary to carry out a 
successful attack. 
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